Public Health as a Model for Cybersecurity Information Sharing

Abstract

Policy proposals often feature information sharing as a means to improve cybersecurity, but they rarely specify how these activities connect to concrete goals intended to advance the state of cybersecurity. We use the Doctrine of Cybersecurity as a lens to examine existing information sharing efforts and evaluate the utility of information sharing proposals. Drawing on public health, an analogous field oriented toward the public good, we extract insights on how its information policies and practices evolved to promote goals while actively mediating among values. Based on our review of specific public health information sharing systems, we derive a set of four principles—expert and collaborative data governance, reporting minimization and decentralization, earliest feasible de-identification, and limitations on use—to guide the development of information sharing proposals within the cybersecurity context, and we include an analysis of specific sharing mechanisms—data access modes and sharing platforms—that inform the implementation of these four principles. We conclude with a set of recommendations for consideration within the context of cybersecurity information sharing proposals.